KubeCon + CloudNative North America 2021

A Software Bill of Materials or SBoM is a list of software components that comprise a software artifact, be it firmware, OS, a VM, and yes, a container. We can generate an SBoM for container images post build using image scanners like Claire, Trivy, Tern, and Syft. This method is not foolproof, however, as they rely on metadata existing in the container filesystem (such as package manifests) in order to report on them. If a container goes through a multistage build or tools like Docker-slim to reduce the attack surface of the container, all that metadata is gone. How do we get more accurate and consistent SBoMs for containers? We generate them at container build time. This talk demonstrates how we can do that with tools like Tern, Buildah, and the OCI specification. We will get back to the basics of building containers, learn about the OCI specification, and make a container builder which can generate an SBoM at build time.

There is now sufficient competition in the cloud computing space that all the major cloud providers are competing directly on pricing. Like any other market, there are significant opportunities for savings if an organization is willing to periodically switch to more competitive service providers. However, the engineering cost of a cloud provider migration typically negates those savings – but that doesn't have to be the case. This talk will cover a two-year journey spanning several cloud providers, and how to avoid vendor lock-in by making cloud agnostic design a first-class consideration. A case study will be provided on how embracing open source projects like Kubernetes, Terraform, and Helm permitted lightning-fast migration to and from cloud providers driven by economic incentives. The high level details of Corsha's Infrastructure-as-code strategy will be discussed, and how an early commitment to this approach has resulted in flexible and efficient cloud native app deployments.

Have you made the jump to microservices only to discover the development experience is less than ideal? We get it, microservices can be HARD, but they don’t have to be. In this session we will help you simplify your developer interloop and boost your productivity. We will focus on Dapr and Bridge to Kubernetes, both open source, and geared towards simplifying your life as a developer. Dapr is a portable, event-driven runtime that makes it easy for any developer to build resilient, stateless, and stateful applications using any language, targeting any cloud or the edge. Bridge to Kubernetes uses Envoy to extend the Kubernetes perimeter to your development computer allowing you to write, test, and debug microservice code while connected to any Kubernetes cluster with the rest of your application or services. The bridge to microservices harmony can be messy, but a technical deep dive powered by the open-source tooling will have you looking Dapr in no time.

Kubernetes emerged as A Good Idea® in part because it gives you real-time, circular feedback: it's a control loop. Something watches, something reacts, equilibrium is maintained. In this talk we’ll discuss how this model is useful not only for orchestrating containers, but for many applications that handle real-time feedback loops. And thanks to Kubernetes, most of the scaffolding for it is already out there, ready to be used. As a use-case the speaker will talk about a development tool that reacts to source code and server status changes in real-time—a perfect match for a Kubernetes-style control loop. Adopting control loops led to a simpler, more modular app. It made the codebase easier to grasp for new developers, and the application as a whole more uniform and easy to extend. Plus, Kubernetes already has a rich ecosystem of tools for it. Lastly, the speaker will discuss other examples in which this model applies and whether this model makes sense for your own applications.

The Kubernetes ecosystem has thousands of controller implementations for different applications and platform capabilities. A controller’s correctness is therefore critical, and yet, can be compromised by myriad factors, such as asynchrony in the overall distributed system, unexpected failures, networking issues, and controller restarts. This in turn can lead to severe safety violations, such as incorrectly deleting StatefulSets and PVCs. Controller-developers unfortunately lack automated testing tools to harden their code against these conditions. In this talk, Xudong Sun and Lalith Suresh will describe common bug patterns in Kubernetes controllers. They will also present an automated testing tool called Sieve, which systematically tests Kubernetes controllers to harden them against the aforementioned scenarios. Sieve has already discovered (and led to fixes for) several safety-critical bugs in popular Kubernetes controllers for Zookeeper, Cassandra, RabbitMQ, MongoDB, XtraDB, etc.

Is your bookmark bar filled to the brim with links to internal infrastructure tools? Are you using spreadsheets to track the state of your software and infrastructure? Does your company suffer from fragmentation, like hundreds of startups glued together? Then this talk is for you! It will tell the story of how Spotify created a service catalog to bring order to thousands of microservices. It grew to become Backstage, an internal developer portal supporting not just services, but also machine learning models, documentation, over 9000 data pipelines, and much more. With 115 plugins contributed by 58 different teams, Backstage is now Spotify’s single pane of glass for the entire engineering organization. In 2020 Backstage and its software catalog was open sourced and donated to the CNCF, making it available for everyone to use. The talk will also walk you through strategies for adopting Backstage in an existing organization, and how to bootstrap your own catalog.

The session will shed light work of improving Razorpay's dev experience using a bunch of open source tools that scales to 100's of engineers,in a secure and compliant fashion We talk about extending cloud native development to local desktop,how it integrates with our overall kubernetes driven CI/CD workflows.In a nutshell,the session describes building a dev centric packaged environment for reducing their cognitive load while developing sofware This talk brings clarity to the application cluster development , and shows the work being done on aggregating various open source solutions like helmfile for describing and setting up a micro service fleet , traefik routing,header propagation for ephemeral service access ,helm hooks for auxilary app requirements like queues,databases,vendor cloud components, hot reloading and devspace for integrated dev local development/debugging and autoscaler,janitor,botkube etc for cluster segregation and management In the end ,this talk hopefully aligns the developers,practitioners and operators to the benefit of local development with faster iterations , customizable dev tools in remote kubernetes cluster with an extremely simplified , cost effective ,git ops native and agile solution impacting the entire org's dev productivity

Most of us have used curl to download a script and run it immediately. Using curl | bash provides instant gratification. We can quickly get up and running with an application without requiring a steep learning curve or a strong attention span. Unfortunately, the common advice is that this is not safe! But what if it was?

Let's walk through how we can work with people's natural tendencies, keep the one-liner and make it more secure. We will use Porter and Notary to transform an example cloud-native application deployment from a dicey bash script, executed with bash and hope, into a safer one-liner installation that was designed to be used in production.

You will learn:

• Why curling a script to bash is insecure, and why bundles mitigate those risks.
• How to reuse existing tools and scripts in a bundle, without starting over from scratch.
• What a safer one-line user experience could look like.

Deploying applications on Kubernetes is getting easier every day. From a minimal deployment to distributed service mesh enabled applications with planning and a little bit of YAML resilient cloud-native applications are the norm. In this session, Christopher Bradford and Ty Morton will help answer the following questions: - What about your data behind these apps? - Are you running those in a multi-cluster environment or sending everything back to a common location? - How do you modernize to a distributed peer-to-peer data architecture? - How do you plan for this change? - Are there pitfalls on the road to enlightened data? Join this session to explore the key concepts needed when investigating multi-cluster deployments for data. This includes: - Cluster planning - Network design - Security - Failure handling

You know the registry as your most boring friend. You push and pull images, and it just works, but have you ever taken the time to really get to know it? What is the registry really like behind that unassuming OCI specification? What does it do when it’s not just distributing your images? Maybe it gets a little crazy on the weekend - maybe it has hidden talents you don’t know about. What would happen if this thankless hero went rogue? In this talk we will demonstrate unconventional registry implementations, including those that serve self-modifying and dynamically generated images. Along the way we’ll also take a look at how clients can utilize registries in interesting and unexpected ways, e.g. as a content-addressable key-value store or a general-purpose directed acyclic graph database. Attendees will walk away with a better understanding of what guarantees OCI images and registries provide, as well as how they can exploit the registry’s flexibility to benefit their own use cases.

Gopay, one of the biggest payments companies in South East Asia, processes transactions worth billions of dollars, with peak scale of more than 15000 financial transactions per minute. Gopay has heavily adopted Kubernetes to run its hundreds of microservices and has very recently migrated to a service mesh based architecture. As we grow, our infrastructure was becoming more complex and fragmented, our engineers less productive. Instead of writing code, teams were constantly interrupted by migration requests and spending more time looking for the right information just to get started. "Why do I need to migrate to newer helm chart again, I just upgraded it!" "This service isn’t responding, who owns it?" This talk will guide you how we fulfilled those challenges and fasten service mesh adoption through a developer friendly platform. The platform simplifies end-to-end software development with an abstraction layer that sits on top of our infrastructure and developer tooling.

A small thought experiment in automating the day to day life of a Salesforce engineer became a platform for productivity that was built on top of controller-runtime, CRD’s, kubernetes, kubebuilder and a CLI. Adopting the KRM, made it really easy for them to model their service lifecycle and expose a simplified abstraction that allowed service owners at Salesforce to skip daily mundane tasks and focus on their business logic. In this talk, they will show you how easy it is to use the kubernetes control plane to create control loops that can automate the SDLC of your company . They will also show you how to build an extensible PaaS platform on top of Kubernetes and your company's existing processes that does not constraint the users, but allows the service owners to see through the abstraction. You will not only leave the talk with an even greater appreciation for the KRM model and for the strength of kubernetes apis but also with a recipe for automating the SDLC of YOUR company.

If you are tasked with building a Software as a Service (SaaS) offering for your company products/components, you will need to make some big decisions, for example: one or more Cloud Providers, tools, creating your own abstractions, etc. From a developer perspective, this presentation covers tools in the Kubernetes ecosystem that will make your life easier when building a SaaS offering. This session cover tools such as Crossplane, Helm, CloudEvents for integrations and interoperability, Knative and Tekton to make sure that you have the flexibility to deploy your workloads in different cloud providers if needed. This presentation shows you in action tools that provide higher-level abstractions to help you to keep your implementations Multi-Cloud friendly.

Kubernetes provides powerful features and empowers developers to solve lots of use-cases. Do you want to do GitOps, Progressive Delivery, batch processing? Easy - there is a tool that provides an effective way of solving each problem. The email that notifies the team about successful deployment is the cherry on the cake and should not be hard to do, right? Well, the notifications support is not as straightforward as it sounds. Does your team prefer Slack, Telegram, or all of the above? Do you want to fine-tune notifications criteria and avoid spamming your team about each and every change? Do you need customized notification messages that include details specific to your environment? We have solved this problem for Argo by introducing a generic Notification Engine that powers a notification experience for Argo projects. You will learn how to leverage the engine to configure notifications for Argo projects as well as how to use it for any other Kubernetes-native application.